Plasma: A new SMC Checker. Axel Legay. In collaboration with L. Traonouez and S. Sedwards.

Transcription

1 Plasma: A new SMC Checker Axel Legay In collaboration with L. Traonouez and S. Sedwards. 1

2 Plasma Lab A PLAtform for Statistical Model Analysis A library of statistical model-checking algorithms (Monte-Carlo, SPRT, rare events, CUSUM, nondeterminism,...) Generic analysis for any runnable language or model Easily distributed other computation grid An API that allows modularity: extendable with plugins to add new algorithms, new input languages Developed in Java 6 2

3 Plasma Lab Structure 3

4 Model Language: PRISM Input language of the model-checker PRISM: Textual language for modeling DTMC, CTMC, MDP, PTA Guarded commands transitions (systems biology): [synchro] guard rate1:(action1) + rate2:(action2) System description via modules renaming Simulink, SystemC,... And various specification languages Your language? 4

5 Model Language: PRISM: Randomised Randomised dining dining philosophers philosophers dtmc formula lfree = p2>=0 & p2<=4 p2=6 p2=10; formula rfree = p3>=0 & p3<=3 p3=5 p3=7; module phil1 p1: [0..10]; [] p1=0 -> 0.2 : (p1'=0) : (p1'=1); [] p1=1 -> 0.5 : (p1'=2) : (p1'=3); [] p1=2 & lfree -> (p1'=4); [] p1=2 &!lfree -> (p1'=2); [] p1=3 & rfree -> (p1'=5); [] p1=3 &!rfree -> (p1'=3); [] p1=4 & rfree -> (p1'=8); [] p1=4 &!rfree -> (p1'=6); [] p1=5 & lfree -> (p1'=8); [] p1=5 &!lfree -> (p1'=7); [] p1=6 -> (p1'=1); [] p1=7 -> (p1'=1); [] p1=8 -> (p1'=9); [] p1=9 -> (p1'=10); [] p1=10 -> (p1'=0); endmodule module phil2 = phil1 [p1=p2, p2=p3, p3=p1] endmodule module phil3 = phil1 [p1=p3, p2=p1, p3=p2] endmodule // labels label "hungry" = ((p1>0)&(p1<8)) ((p2>0)&(p2<8)) ((p3>0)&(p3<8)); label "eat" = ((p1>=8)&(p1<=9)) ((p2>=8)&(p2<=9)) ((p3>=8)&(p3<=9)); 5

6 Model Language: Bio Textual language for biological models: Write chemicals reactions with CTMC semantics: product1 + product2 rate-> product3 + product4 Use Gillespie algorithm for simulating biological models: The time and probability of a reaction depends on its rate and the number of species. species species A=1000,B=1000,C,D,E A=1000,B=1000,C,D,E A A ++ B B -> -> C C C C > -> D D D D -> -> E E 6

7 Properties Language: BLTL Bounded Linear Temporal Logic LTL with bounded temporal operators F<=#50 "eat" F<=#1000 ("hungry" & (X<=#1 F<=#1000 "eat")) 7

8 Using Plasma Lab GUI for Simulations liveness = F<=#1000 ("hungry" & (X<=#1 F<=#1000 "eat")) 8

9 Plasma Lab API MATLAB PLASMA Lab UI Terminal Creates new experiments Interfaces with PLASMA Controller API PLASMA Lab Model/Simulator Requirement PLASMA Lab plugins Simulink Bio RML GCSL B-LTL 9

10 Plasma Lab API Estimate the probability Confidence Level set by the user Request Simulations for Checking Controller API Executes a model Builds execution traces SMC Algorithms PLASMA Lab Model/Simulator Requirement/ Checker Decides if the property holds or not Property Monitoring during the simulations 10

11 Developing New Plugins Implement required interfaces from the API New Checker New Simulator newpath() Start a simulation simulate() Simulate one step check(path) Check a trace until the property is decided New Algorithm run() Run the algorithm Send the results Return the result 11

12 Creating a New Algorithm public class EMSIGSchool implements InterfaceAlgorithmScheduler public void run() { listener.notifyalgorithmstarted("emsig"); double res = 0.0; for(int i=0; i<nbsimu; i++) { InterfaceState path = model.newpath(); res += requirement.check(path); } } } Start Start aa new new trace trace Check Check the the trace trace and and collect collect the the result result listener.notifyalgorithmcompleted("emsig"); listener.publishresults("emsig", new SMCResult(res/nbSimu)); Send Send the the results results to to the the user user interface interface 12

13 Application1: Dali European project Application of SMC beyond formal verification A trolley to guide an old lady in a commercial center Point of interest/repulsion Embedded application, beyond software Limited ressources Hot topic: national press, euronews,... 13

14 Objectives EC EC Grant Grant Agreement Agreement n. n Develop technologies to provide our system with a robust decision making mechanism that plans the motion of the AP from a source to a destination. The motion is in an environment populated by human agents and fixed obstacles. The objective is to keep in check the probability of accidents or hazards by offsetting possibly uncooperative behaviours of the AP.

15 Challenges EC EC Grant Grant Agreement Agreement n. n To build a mathematical model to reason on the AP in its environment To design a planning algorithm; this algorithm will rely on the math model The resulting algorithm has to be embedded in the trolley This requires to model sensors and external environment as mathematical objects.

16 Approach EC EC Grant Grant Agreement Agreement n. n A Markovian model that tracks the status of the AP and its environment The model is parametrised with variables representing the external environments 'Social force' model to reason on human motions in crowded areas Social force together with Statistical Model Checking helps the planing algorithm (motion planer) to predict safe moves for the AP

17 The social force model EC EC Grant Grant Agreement Agreement n. n We need to model human behavior in a crowded environment We have adopted the 'social force model' (SFM) The SFM models groups of people having goals, using repulsive and attractive social forces E.g., as the AP gets closer to an object it reduces its speed and changes its trajectory; if the object is further than 5m, the AP makes no change to its trajectory.

18 Task 3.1: The social force model EC EC Grant Grant Agreement Agreement n. n

19 EC EC Grant Grant Agreement Agreement n. n Task 3.1: Mathematical elements of the social force model objectives + hypothesised trajectory social + physical forces random movement actual position actual velocity reaction time mass

20 Two types of planing EC EC Grant Grant Agreement Agreement n. n Approach: We distinguish between local and global planning Statistical model checking helps to make the best and most natural decision in highly dynamical environment (local planning) Predictor uses social forces combined with statistical algorithms

21 Planning EC EC Grant Grant Agreement Agreement n. n

22 Two types of planning EC EC Grant Grant Agreement Agreement n. n The global planning uses 'static' information: it assumes the existence of a map and uses algorithms from GPS technology to derive the best path to reach a goal starting from an initial point The local planning uses dynamic information: the algorithm takes account of the global goal and sensor information the objective is to follow the path suggested by the local planner and avoid collisions The local planner is constantly active. The global planner is re-activated when overall progress is too slow or when user objectives change (future work).

23 Local planning EC EC Grant Grant Agreement Agreement n. n The challenge is to cope with unpredictable moving objects and environmental changes to avoid collisions First level: mathematical (social force) model alone, not sufficiently reactive / predictive Second level: manage mathematical model with statistical model checking (SMC) using PLASMA PLASMA uses long term predictive simulations to derive the best path to be followed locally

24 Motion planner architecture EC EC Grant Grant Agreement Agreement n. n

25 Statistical Model Checking EC EC Grant Grant Agreement Agreement n. n Verify temporal properties on paths assumes a stochastic model estimates probability of property with error bound Simulations provided by SFM Logic encodes high level objectives minimum distance, maximum time, etc. e.g. dist. between user xu and others xi dist. between user xu and objective w Enhances predictive power of SFM

26 Initial information EC EC Grant Grant Agreement Agreement n. n position + velocity global plan At each step, we know: our position and velocity where we want to go last position and velocity of others waypoint

27 SFM without correction EC EC Grant Grant Agreement Agreement n. n SFM uses initial information to predict future positions and trajectories grey areas show possible trajectories due to random fluctuations of SFM Without correction, agents may get arbitrarily close potential for collision

28 EC EC Grant Grant Agreement Agreement n. n SFM + SMC using hypothesised alternative directions We cannot directly change the trajectories of others We can change our own trajectory At each step we hypothesise alternative initial directions initial angular impulses, e.g., {-60, -30, 0, 30, 60} deg. perform SMC using hypothesised direction check property against multiple simulated paths select direction that maximises success fewest problems (collisions, stress) least perturbation to current trajectory

29 Demos EC EC Grant Grant Agreement Agreement n. n Simulations of agents and c-walker moving in various environments Each agent respects the SFM with randomness Every agent has a goal to reach in the environment The c-walker has given a path in the environment: global path Objective for the c-walker: follow the global path with no collision 11/17/11 WPn - Title 32

30 Demo Without SMC EC EC Grant Grant Agreement Agreement n. n The evolution of the system follows just the SFM The c-walker moves according to the forces suggested by its objective and the SFM alone 11/17/11 WPn - Title 33

31 Motion planning with SFM alone EC EC Grant Grant Agreement Agreement n. n

32 Demo With SMC EC EC Grant Grant Agreement Agreement n. n The c-walker uses SFM to predict multiple probable future paths of the agents within the sensor range The c-walker moves according to the forces suggested by SFM and the movement direction suggested by PLASMA 11/17/11 WPn - Title 35

33 Motion planning with SFM + SMC EC EC Grant Grant Agreement Agreement n. n

34 EC EC Grant Grant Agreement Agreement n. n Demo With SMC + SFM in complex environment A more realistic demonstration of the motion planner A complex environment of fixed obstacles moving agents Algorithm must track and simulate multiple trajectories in real time

35 EC EC Grant Grant Agreement Agreement n. n Motion planning in a complex environment

36 Performance on typical hardware EC EC Grant Grant Agreement Agreement n. n Probability of success (avoiding collisions and reaching goal) ~ 0.14 with SFM alone ~ 0.70 with SFM + SMC Implemented on embedded computing device (Beagleboard) no optimisations yet, but... Ability to re-plan every 500ms ~ 92% of the time for simple scenario ~ 55% of the time for complex scenario

37 Application two: MATLAB/Simulink Graphical modeling language for dynamic systems Block library for continuous and discrete signals Sources Constant Constant value: value: Signal transformation Product, Product, sum: sum: Gain: Gain: Inputs: Inputs: Periodic Periodic signals: signals: Signals composition Integrator: Integrator: Logical Logical operation operation (AND, (AND, OR, OR, ) ) Comparison: Comparison: (<, (<, <=, <=, >=, >=, >, >,...)...) Signals Signals routing: routing: 40

38 MATLAB/Simulink Stateflow charts for discrete state automata: Hierarchical description with subsystem: Custom S-function blocks to include C-code: 41

39 Fault-Tolerant Fuel Control System A hybrid system with continuous and discrete dynamics: Robust control of the fuel distribution of a gasoline engine 4 sensors: throttle, speed, exhaust gas (EGO), and air pressure (MAP) If a sensor fails, the control system is dynamically reconfigured for uninterrupted operation 42

40 Fault-Tolerant Fuel Control System Original Original model model Manual switches 43

41 Fault-Tolerant Fuel Control System Simulation Simulation with with manually manually triggered triggered failures failures Speed sensor failure EGO sensor repaired EGO sensor failure Speed sensor repaired 44

42 Fault-Tolerant Fuel Control System Introducing Introducing random random failures failures Replaced by random failure generators 45

43 Random failures generator Generates random failures according to a Poisson probability distribution. Failures last 1 t.u. and then are automatically repaired. Poisson probability distribution Repair timer Stateflow chart 46

44 Poisson distribution subsystem Generate failures at regular time intervals: Parameterized by the fault mean interval (lambda). Select a random number rnd using a C-code random generator. The time of the next failure is: t=-log(rnd)*lambda Use a Stateflow chart to update the sensor status. 47

45 Poisson distribution subsystem C-code C-code Stateflow Stateflow chart chart static bool init = true; if(init) { init = false; int t = time(); srand(t); } double rnd; rnd=((double) rand() / (RAND_MAX)) ; y0[0] = rnd; 48

46 Random failures generator 49

47 SMC Analysis Compute the probability that fuel distribution is stopped for at least 1 t.u. : 50

48 Plasma/Simulink Interface A MATLAB plugin for Plasma Lab: Implements the simulator interfaces of Plasma API: public class MatLabIdentifier implements InterfaceIdentifier (to show the results) public class MatLabSessionFactory implements AbstractModelFactory (to build the model) public class MatLabSessionModel extends AbstractModel (newpath, simulate) public class MatLabState implements InterfaceState (Type of state) Use the matlabcontrol Java API to control Simulink simulations: Create a MatlabProxy object Call proxy.eval(string), proxy.feval(sring, Object), or proxy.returningeval(string, int) to launch MATLAB commands 51

49 Plasma/Simulink Interface factory.getproxy() Matlabcontrol Matlabcontrol Proxy Proxy proxy.eval(string) proxy.feval(string,object) Plasma Plasma Lab Lab MATLAB MATLAB Plugin Plugin proxy.returningeval(string,int) MATLAB MATLAB Plasma Plasma Lab Lab SMC SMC algorithm algorithm 52

50 Plasma/Simulink Simulation Trace Plasma receives the values of the signals that are logged in Simulink Time is discretized: According to the sample time of Simulink blocks At each occurrence of a discrete event in Stateflow charts 53

51 Plasma/Simulink GUIs Plasma MATLAB plugin can used: From Plasma Lab main GUI From Plasma2Simulink GUI, a small App that can be installed in MATLAB Launch Plasma2Simulink from MATLAB 54

52 Interface 55

53 SMC Analysis Compute the probability that fuel distribution is stopped for at least 1 t.u. : Sensor fault rates (Speed, EGO, MAP) Failure probability (3, 7, 8) (10, 8, 9) (20, 10, 20) 0.07 (30, 30, 30)

54 A Pig Shed Case Study Temperature controller of a pig shed Internal temperature is subjected to random variations. (number of pigs, external temperature) Regulate the temperature by activating fan and heater. Fan and heater are subjected to random failures. Objectives: check and optimize the controller: Internal temperature must remain comfortable. Minimize heating and cooling costs. 57

55 A Pig Shed Case Study Random events Discomfort Cost DiscomfortValue Logged signals 58

56 A Pig Shed Case Study Quantitative Verification Monte-Carlo Monte-Carlo analysis analysis with with t1 t1 == t.u. t.u. Precision Precision 0,01 0,01 Confidence Confidence 0,01 0,01 59

57 A Pig Shed Case Study Quantitative Verification Monte-Carlo Monte-Carlo analysis analysis with with t1 t1 == t.u. t.u. Precision Precision 0,01 0,01 Confidence Confidence 0,01 0,01 60

58 A Pig Shed Case Study Quantitative Verification Monte-Carlo Monte-Carlo analysis analysis with with t1 t1 == t.u. t.u. t2 t2 == t.u. t.u. Precision Precision 0,01 0,01 Confidence Confidence 0,01 0,01 Without Without failures failures With With failures failures 61

59 A Pig Shed Case Study Optimisation Use Monte-Carlo to estimate the expected values of two variables: Compute the results for several values of initial parameters: Cost DiscomfortValue THeaterOn between [15,20] THeaterOff between [15,20] TFanOn between [20,25] TfanOff between [20,25] With additional constraints: TFanOff < TFanOn THeaterOn < THeaterOff THeaterOn < TFanOn 62

60 A Pig Shed Case Study Optimisation Select the best values over the the 225 configurations Without Without failures failures With With failures failures 63

61 Conclusion Plasma, a new flexible SMC checker New applications Integrated inside industry tools 64